From: Randy Dunlap <randy.dunlap@oracle.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/6] SELinux: change Kconfig to use select instead of depends
Date: Wed, 10 Oct 2007 08:40:31 -0700
Message-ID: <470CF26F.10606@oracle.com>
In-Reply-To: <1192018350.2687.16.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Tue, 2007-10-09 at 16:28 -0700, Randy Dunlap wrote:
>> On Wed, 10 Oct 2007 09:19:55 +1000 (EST) James Morris wrote:
>>
>>> From: Eric Paris <eparis@redhat.com>
>>>
>>> Changes the security/selinux/Kconfig to use select instead of depends
>>> for most of the SELinux requirements.  This allows the SELinux option to
>>> show up when people do a make config without already knowing they had to
>>> enable audit and other non-obvious choices.  Added a depends on SECURITY
>>> (which previously existed through SECURITY_NETWORK) so that SELinux
>>> would not always show up, but would be easy and intuitive to find.
>>>
>>> Signed-off-by: Eric Paris <eparis@redhat.com>
>>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>> Signed-off-by: James Morris <jmorris@e.namei>
>>> ---
>>>  security/selinux/Kconfig |    7 ++++++-
>>>  1 files changed, 6 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
>>> index b32a459..40b97e6 100644
>>> --- a/security/selinux/Kconfig
>>> +++ b/security/selinux/Kconfig
>>> @@ -1,6 +1,10 @@
>>>  config SECURITY_SELINUX
>>>  	bool "NSA SELinux Support"
>>> -	depends on SECURITY_NETWORK && AUDIT && NET && INET
>>> +	depends on SECURITY
>>> +	select SECURITY_NETWORK
>>> +	select AUDIT
>>> +	select NET
>>> +	select INET
>>>  	select NETWORK_SECMARK
>>>  	default n
>>>  	help
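Review bot: `select NET` and `select INET` in the new SECURITY_SELINUX entry turn on two large, user-visible options as a side effect of enabling SELinux, and Kconfig's select forces the symbol on without evaluating that symbol's own dependencies, so a configuration that never asked for networking gets it silently. Suggest keeping those two as `depends on NET && INET` next to the new `depends on SECURITY`, and limiting select to NETWORK_SECMARK plus, if the visibility goal really needs them, AUDIT and SECURITY_NETWORK.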
>> I doth protest.  Enabling the entire NET subsystem thru a hidden
>> select is awful.  Select should be used (sparingly) to enable
>> library code only.  If someone wants NET enabled, they should
>> enable it overtly, not covertly.
> 
> Does that apply to all the options, or only to NET (e.g. is it ok to
> select AUDIT)?  I thought that this patch came out of earlier
> discussions about proper use of select vs. depends.  It may have gone
> too far, but I'm not sure it should be discarded entirely.

AUDIT isn't quite library code, still I don't have a (big) problem with
selecting it or NETWORK_SECMARK.  (other than select is evil :)

OTOH, NET and INET are large config options, not library-like code, and
should not be selected.

-- 
~Randy
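
The rule of thumb argued in this message (select only library-like symbols, never large user-visible options) can be checked mechanically. The following is an added example, not part of the original message or the kernel tree: a small Python check over a constructed Kconfig fragment that flags selected symbols which have a prompt or carry their own `depends on` (which `select` does not evaluate). The symbol definitions are simplified stand-ins, and `EXAMPLE_LIB`, `parse_kconfig` and `audit_selects` are hypothetical names.

```python
import re

# Constructed sample (simplified stand-ins); EXAMPLE_LIB is a hypothetical promptless symbol.
SAMPLE = """
config NET
    bool "Networking support"
config INET
    bool "TCP/IP networking"
    depends on NET
config EXAMPLE_LIB
    bool
config SECURITY_SELINUX
    bool "NSA SELinux Support"
    select NET
    select INET
    select EXAMPLE_LIB
    help
      select NET is mentioned here only as help text.
"""

def parse_kconfig(text):
    """Map each symbol to its prompt flag, 'depends on' lines and selects."""
    symbols, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(?:menu)?config\s+(\w+)$", line)
        if m:
            cur = symbols.setdefault(m.group(1), {"prompt": False, "depends": [], "selects": []})
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line in ("help", "---help---"):
            cur = None  # ignore free-form help text until the next entry
        elif re.match(r'(bool|tristate|string|int|hex|prompt)\s+"', line):
            cur["prompt"] = True
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):])
        elif line.startswith("select "):
            cur["selects"].append(line.split()[1])
    return symbols

def audit_selects(symbols):
    """Return (selector, selected, reason) for selects worth questioning."""
    findings = []
    for name, sym in symbols.items():
        for target in sym["selects"]:
            tgt = symbols.get(target, {"prompt": False, "depends": []})
            if tgt["prompt"]:
                findings.append((name, target, "user-visible option"))
            if tgt["depends"]:
                findings.append((name, target, "has depends that select skips"))
    return findings
```

Calling `audit_selects(parse_kconfig(SAMPLE))` reports NET and INET but not the promptless EXAMPLE_LIB; symbols defined outside the parsed text are treated as unknown and not reported.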
